

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>User Accounts &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/doctools.js"></script>
        <script src="../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="Ceph 对象网关的 S3 API" href="../s3/" />
    <link rel="prev" title="管理指南" href="../admin/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    <div role="navigation" aria-label="Page navigation">
  <ul class="wy-breadcrumbs">
      <li><a href="../../" class="icon icon-home" aria-label="Home"></a></li>
          <li class="breadcrumb-item"><a href="../">Ceph 对象网关</a></li>
      <li class="breadcrumb-item active">User Accounts</li>
      <li class="wy-breadcrumbs-aside">
            <a href="../../_sources/radosgw/account.rst.txt" rel="nofollow"> View page source</a>
      </li>
  </ul>
  <hr/>
</div>
  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../" class="icon icon-home"> Ceph
          

          
          </a>

          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../../search/" method="get">
    <input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../start/">Ceph 简介</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../install/">安装 Ceph</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephadm/">Cephadm</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rados/">Ceph 存储集群</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephfs/">Ceph 文件系统</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rbd/">Ceph 块设备</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../">Ceph 对象网关</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../frontends/">HTTP 前端</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multisite/">多站配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../zone-features/">域的功能</a></li>
<li class="toctree-l2"><a class="reference internal" href="../placement/">存储池归置与存储类</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multisite-sync-policy/">多站同步策略配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pools/">存储池的配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../config-ref/">配置参考</a></li>
<li class="toctree-l2"><a class="reference internal" href="../admin/">管理指南</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">用户账户</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#account-root-user">Account Root User</a></li>
<li class="toctree-l3"><a class="reference internal" href="#resource-ownership">Resource Ownership</a></li>
<li class="toctree-l3"><a class="reference internal" href="#account-ids">Account IDs</a></li>
<li class="toctree-l3"><a class="reference internal" href="#iam-policy">IAM Policy</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#principals">Principals</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#tenant-isolation">Tenant Isolation</a></li>
<li class="toctree-l3"><a class="reference internal" href="#account-management">Account Management</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#create-an-account">Create an Account</a></li>
<li class="toctree-l4"><a class="reference internal" href="#create-an-account-root-user">Create an Account Root User</a></li>
<li class="toctree-l4"><a class="reference internal" href="#delete-an-account">Delete an Account</a></li>
<li class="toctree-l4"><a class="reference internal" href="#account-stats-quota">Account Stats/Quota</a></li>
<li class="toctree-l4"><a class="reference internal" href="#migrate-an-existing-user-into-an-account">Migrate an existing User into an Account</a></li>
<li class="toctree-l4"><a class="reference internal" href="#account-root-example">Account Root example</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../s3/">S3 API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../iam/">IAM API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../rgw-cache/">数据缓存和 CDN</a></li>
<li class="toctree-l2"><a class="reference internal" href="../swift/">Swift API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../adminops/">管理操作 API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../api/">Python 接口</a></li>
<li class="toctree-l2"><a class="reference internal" href="../nfs/">通过 NFS 导出</a></li>
<li class="toctree-l2"><a class="reference internal" href="../keystone/">与 OpenStack Keystone 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../barbican/">与 OpenStack Barbican 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../vault/">与 HashiCorp Vault 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../kmip/">与 KMIP 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../opa/">与 Open Policy Agent 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multitenancy/">多租户</a></li>
<li class="toctree-l2"><a class="reference internal" href="../compression/">压缩</a></li>
<li class="toctree-l2"><a class="reference internal" href="../ldap-auth/">LDAP 认证</a></li>
<li class="toctree-l2"><a class="reference internal" href="../encryption/">服务器端加密</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bucketpolicy/">桶策略</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dynamicresharding/">动态的桶索引重分片</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mfa/">多因子认证</a></li>
<li class="toctree-l2"><a class="reference internal" href="../sync-modules/">同步模块</a></li>
<li class="toctree-l2"><a class="reference internal" href="../notifications/">Bucket Notifications</a></li>
<li class="toctree-l2"><a class="reference internal" href="../layout/">RADOS 中的数据布局</a></li>
<li class="toctree-l2"><a class="reference internal" href="../STS/">STS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../STSLite/">STS Lite</a></li>
<li class="toctree-l2"><a class="reference internal" href="../keycloak/">Keycloak</a></li>
<li class="toctree-l2"><a class="reference internal" href="../session-tags/">Session Tags</a></li>
<li class="toctree-l2"><a class="reference internal" href="../role/">Role</a></li>
<li class="toctree-l2"><a class="reference internal" href="../orphans/">Orphan List and Associated Tooliing</a></li>
<li class="toctree-l2"><a class="reference internal" href="../oidc/">OpenID Connect Provider</a></li>
<li class="toctree-l2"><a class="reference internal" href="../troubleshooting/">故障排除</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../man/8/radosgw/">radosgw 手册页</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../man/8/radosgw-admin/">radosgw-admin 手册页</a></li>
<li class="toctree-l2"><a class="reference internal" href="../qat-accel/">使用 QAT 为加密和压缩提速</a></li>
<li class="toctree-l2"><a class="reference internal" href="../s3select/">S3-select</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lua-scripting/">Lua Scripting</a></li>
<li class="toctree-l2"><a class="reference internal" href="../d3n_datacache/">D3N Data Cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cloud-transition/">Cloud Transition</a></li>
<li class="toctree-l2"><a class="reference internal" href="../metrics/">Metrics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../uadk-accel/">UADK Acceleration for Compression</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bucket_logging/">桶的日志记录</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/">Ceph 管理器守护进程</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/dashboard/">Ceph 仪表盘</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../monitoring/">监控概览</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../api/">API 文档</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../architecture/">体系结构</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/developer_guide/">开发者指南</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/internals/">Ceph 内幕</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../governance/">项目管理</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../foundation/">Ceph 基金会</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../ceph-volume/">ceph-volume</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/general/">Ceph 版本（总目录）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/">Ceph 版本（索引）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../security/">Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../hardware-monitoring/">硬件监控</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../glossary/">Ceph 术语</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../jaegertracing/">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../translation_cn/">中文版翻译资源</a></li>
</ul>

            
          
        </div>
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>
  <div id="docubetter" align="right" style="padding: 5px; font-weight: bold;">
    <a href="https://pad.ceph.com/p/Report_Documentation_Bugs">Report a Documentation Bug</a>
  </div>

  
  <section id="user-accounts">
<h1>User Accounts<a class="headerlink" href="#user-accounts" title="Permalink to this heading"></a></h1>
<div class="versionadded">
<p><span class="versionmodified added">New in version Squid.</span></p>
</div>
<p>The Ceph Object Gateway supports <em>user accounts</em> as an optional feature to
enable the self-service management of <a class="reference internal" href="../admin/#radosgw-user-management"><span class="std std-ref">Users</span></a>,
Groups and <a class="reference external" href="../role/">Roles</a> similar to those in <a class="reference external" href="https://aws.amazon.com/iam/">AWS Identity and Access Management</a>
(IAM).</p>
<section id="account-root-user">
<span id="radosgw-account-root-user"></span><h2>Account Root User<a class="headerlink" href="#account-root-user" title="Permalink to this heading"></a></h2>
<p>Each account is managed by an <em>account root user</em>. Like normal users and roles,
accounts and account root users must be created by an administrator using
<code class="docutils literal notranslate"><span class="pre">radosgw-admin</span></code> or the <a class="reference external" href="../adminops/">Admin Ops API</a>.</p>
<p>The account root user has default permissions on all resources owned by
the account. The root user’s credentials (access and secret keys) can be
used with the <a class="reference external" href="../iam/">Ceph Object Gateway IAM API</a> to create additional IAM users
and roles for use with the <a class="reference external" href="../s3/">Ceph Object Gateway S3 API</a>, as well as to
manage their associated access keys and policies.</p>
<p>Account owners are encouraged to use this account root user for management
only, and create users and roles with fine-grained permissions for specific
applications.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>While the account root user does not require IAM policy to
access resources within the account, it is possible to add policy that
denies their access explicitly. Use Deny statements with caution.</p>
</div>
</section>
<section id="resource-ownership">
<h2>Resource Ownership<a class="headerlink" href="#resource-ownership" title="Permalink to this heading"></a></h2>
<p>When a normal (non-account) user creates buckets and uploads objects, those
resources are owned by the user. The associated S3 ACLs name that user as
both the owner and grantee, and those buckets are only visible to the owning
user in a <code class="docutils literal notranslate"><span class="pre">s3:ListBuckets</span></code> request.</p>
<p>In contrast, when users or roles belong to an account, the resources they
create are instead owned by the account itself. The associated S3 ACLs name
the account id as the owner and grantee, and those buckets are visible to
<code class="docutils literal notranslate"><span class="pre">s3:ListBuckets</span></code> requests sent by any user or role in that account.</p>
<p>Because the resources are owned by the account rather than its users, all
usage statistics and quota enforcement apply to the account as a whole rather
than its individual users.</p>
</section>
<section id="account-ids">
<h2>Account IDs<a class="headerlink" href="#account-ids" title="Permalink to this heading"></a></h2>
<p>Account identifiers can be used in several places that otherwise accept
User IDs or tenant names, so Account IDs use a special format to avoid
ambiguity: the string <code class="docutils literal notranslate"><span class="pre">RGW</span></code> followed by 17 numeric digits like
<code class="docutils literal notranslate"><span class="pre">RGW33567154695143645</span></code>. An Account ID in that format is randomly generated
upon account creation if one is not specified.</p>
<p>Account IDs are commonly found in the <a class="reference external" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html">Amazon Resource Names</a> (ARNs) of IAM
policy documents. For example, <code class="docutils literal notranslate"><span class="pre">arn:aws:iam::RGW33567154695143645:user/A</span></code>
refers to an IAM user named A in that account. The Ceph Object Gateway also
supports tenant names in that position.</p>
<p>Accounts IDs can also be used in ACLs for a <code class="docutils literal notranslate"><span class="pre">Grantee</span></code> of type <code class="docutils literal notranslate"><span class="pre">CanonicalUser</span></code>.
User IDs are also supported here.</p>
</section>
<section id="iam-policy">
<h2>IAM Policy<a class="headerlink" href="#iam-policy" title="Permalink to this heading"></a></h2>
<p>While non-account users are allowed to create buckets and upload objects by
default, account users start with no permissions at all.</p>
<p>Before an IAM user can perform API operations, some policy must be added to
allow it. The account root user can add identity policies to its users in
several ways.</p>
<ul class="simple">
<li><p>Add policy directly to the user with the <code class="docutils literal notranslate"><span class="pre">iam:PutUserPolicy</span></code> and
<code class="docutils literal notranslate"><span class="pre">iam:AttachUserPoliicy</span></code> actions.</p></li>
<li><p>Create an IAM group and add group policy with the <code class="docutils literal notranslate"><span class="pre">iam:PutGroupPolicy</span></code> and
<code class="docutils literal notranslate"><span class="pre">iam:AttachGroupPoliicy</span></code> actions. Users added to that group with the
<code class="docutils literal notranslate"><span class="pre">iam:AddUserToGroup</span></code> action will inherit all of the group’s policy.</p></li>
<li><p>Create an IAM role and add role policy with the <code class="docutils literal notranslate"><span class="pre">iam:PutRolePolicy</span></code> and
<code class="docutils literal notranslate"><span class="pre">iam:AttachRolePoliicy</span></code> actions. Users that assume this role with the
<code class="docutils literal notranslate"><span class="pre">sts:AssumeRole</span></code> and <code class="docutils literal notranslate"><span class="pre">sts:AssumeRoleWithWebIdentity</span></code> actions will inherit
all of the role’s policy.</p></li>
</ul>
<p>These identity policies are evaluated according to the rules in
<a class="reference external" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics">Evaluating policies within a single account</a> and
<a class="reference external" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html">Cross-account policy evaluation logic</a>.</p>
<section id="principals">
<h3>Principals<a class="headerlink" href="#principals" title="Permalink to this heading"></a></h3>
<p>The “Principal” ARNs in policy documents refer to users differently when they
belong to an account.</p>
<p>Outside of an account, user principals are named by user id such as
<code class="docutils literal notranslate"><span class="pre">arn:aws:iam:::user/uid</span></code> or <code class="docutils literal notranslate"><span class="pre">arn:aws:iam::tenantname:user/uid</span></code>, where
<code class="docutils literal notranslate"><span class="pre">uid</span></code> corresponds to the <code class="docutils literal notranslate"><span class="pre">--uid</span></code> argument from <code class="docutils literal notranslate"><span class="pre">radosgw-admin</span></code>.</p>
<p>Within an account, user principals instead use the user name, such as
<code class="docutils literal notranslate"><span class="pre">arn:aws:iam::RGW33567154695143645:user/name</span></code> where <code class="docutils literal notranslate"><span class="pre">name</span></code> corresponds
to the <code class="docutils literal notranslate"><span class="pre">--display-name</span></code> argument from <code class="docutils literal notranslate"><span class="pre">radosgw-admin</span></code>. Account users
continue to match the tenant form so that existing policy continues to work
when users are migrated into accounts.</p>
</section>
</section>
<section id="tenant-isolation">
<h2>Tenant Isolation<a class="headerlink" href="#tenant-isolation" title="Permalink to this heading"></a></h2>
<p>Like users, accounts can optionally belong to a tenant for namespace isolation
of buckets. For example, one account named “acct” can exist under a tenant “a”,
and a different account named “acct” can exist under tenant “b”. Refer to
<a class="reference internal" href="../multitenancy/#rgw-multitenancy"><span class="std std-ref">Multitenancy</span></a> for details.</p>
<p>A tenanted account can only contain users with the same tenant name.</p>
<p>Regardless of tenant, account IDs and email addresses must be globally unique.</p>
</section>
<section id="account-management">
<h2>Account Management<a class="headerlink" href="#account-management" title="Permalink to this heading"></a></h2>
<section id="create-an-account">
<h3>Create an Account<a class="headerlink" href="#create-an-account" title="Permalink to this heading"></a></h3>
<p>To create an account:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">account</span> <span class="n">create</span> <span class="p">[</span><span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">name</span><span class="p">}]</span> <span class="p">[</span><span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="nb">id</span><span class="p">}]</span> <span class="p">[</span><span class="o">--</span><span class="n">email</span><span class="o">=</span><span class="p">{</span><span class="n">email</span><span class="p">}]</span>
</pre></div>
</div>
</section>
<section id="create-an-account-root-user">
<h3>Create an Account Root User<a class="headerlink" href="#create-an-account-root-user" title="Permalink to this heading"></a></h3>
<p>To create an account root user:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">user</span> <span class="n">create</span> <span class="o">--</span><span class="n">uid</span><span class="o">=</span><span class="p">{</span><span class="n">userid</span><span class="p">}</span> <span class="o">--</span><span class="n">display</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">name</span><span class="p">}</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="n">root</span> <span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="n">secret</span> <span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="n">access</span><span class="o">-</span><span class="n">key</span>
</pre></div>
</div>
</section>
<section id="delete-an-account">
<h3>Delete an Account<a class="headerlink" href="#delete-an-account" title="Permalink to this heading"></a></h3>
<p>To delete an account:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">account</span> <span class="n">rm</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span>
</pre></div>
</div>
</section>
<section id="account-stats-quota">
<h3>Account Stats/Quota<a class="headerlink" href="#account-stats-quota" title="Permalink to this heading"></a></h3>
<p>To view account stats:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">account</span> <span class="n">stats</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span> <span class="o">--</span><span class="n">sync</span><span class="o">-</span><span class="n">stats</span>
</pre></div>
</div>
<p>To enable an account quota:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">quota</span> <span class="nb">set</span> <span class="o">--</span><span class="n">quota</span><span class="o">-</span><span class="n">scope</span><span class="o">=</span><span class="n">account</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span> <span class="o">--</span><span class="nb">max</span><span class="o">-</span><span class="n">size</span><span class="o">=</span><span class="mi">10</span><span class="n">G</span>
<span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">quota</span> <span class="n">enable</span> <span class="o">--</span><span class="n">quota</span><span class="o">-</span><span class="n">scope</span><span class="o">=</span><span class="n">account</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span>
</pre></div>
</div>
<p>To enable a bucket quota for the account:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">quota</span> <span class="nb">set</span> <span class="o">--</span><span class="n">quota</span><span class="o">-</span><span class="n">scope</span><span class="o">=</span><span class="n">bucket</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span> <span class="o">--</span><span class="nb">max</span><span class="o">-</span><span class="n">objects</span><span class="o">=</span><span class="mi">1000000</span>
<span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">quota</span> <span class="n">enable</span> <span class="o">--</span><span class="n">quota</span><span class="o">-</span><span class="n">scope</span><span class="o">=</span><span class="n">bucket</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span>
</pre></div>
</div>
</section>
<section id="migrate-an-existing-user-into-an-account">
<h3>Migrate an existing User into an Account<a class="headerlink" href="#migrate-an-existing-user-into-an-account" title="Permalink to this heading"></a></h3>
<p>An existing user can be adopted into an account with <code class="docutils literal notranslate"><span class="pre">user</span> <span class="pre">modify</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">user</span> <span class="n">modify</span> <span class="o">--</span><span class="n">uid</span><span class="o">=</span><span class="p">{</span><span class="n">userid</span><span class="p">}</span> <span class="o">--</span><span class="n">account</span><span class="o">-</span><span class="nb">id</span><span class="o">=</span><span class="p">{</span><span class="n">accountid</span><span class="p">}</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Ownership of all of the user’s buckets will be transferred to
the account.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Account membership is permanent. Once added, users cannot be
removed from their account.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Ownership of the user’s notification topics will not be
transferred to the account. Notifications will continue to work, but
the topics will no longer be visible to SNS Topic APIs. Topics and
their associated bucket notifications can be migrated as described below
in <a class="reference internal" href="#migrating-notification-topics">Migrating Notification Topics</a>.</p>
</div>
<p>Because account users have no permissions by default, some identity policy must
be added to restore the user’s original permissions.</p>
<p>Alternatively, you may want to create a new account for each existing user. In
that case, you may want to add the <code class="docutils literal notranslate"><span class="pre">--account-root</span></code> option to make each user
the root user of their account.</p>
<section id="migrating-notification-topics">
<h4>Migrating Notification Topics<a class="headerlink" href="#migrating-notification-topics" title="Permalink to this heading"></a></h4>
<p>Account topics are supported only when the <code class="docutils literal notranslate"><span class="pre">notification_v2</span></code> feature is enabled,
as described in <a class="reference external" href="../notifications/">Bucket Notifications</a> and <a class="reference external" href="../zone-features/#supported-features">Supported Zone Features</a>.</p>
<p>1. <code class="docutils literal notranslate"><span class="pre">Migration</span> <span class="pre">Impact</span></code>: When a non-account user is migrated to an account, the
the existing notification topics remain accessible through the RadosGW admin API,
but the user loses access to them via the SNS Topic API. Despite this, the topics
remain functional, and bucket notifications will continue to be delivered as expected.</p>
<p>2. <code class="docutils literal notranslate"><span class="pre">Re-creation</span> <span class="pre">of</span> <span class="pre">Topics</span></code>: The account user should re-create the topics using
the same names. The old topics (now inaccessible) and the new account-owned topics
will coexist without interference.</p>
<p>3. <code class="docutils literal notranslate"><span class="pre">Updating</span> <span class="pre">Bucket</span> <span class="pre">Notification</span> <span class="pre">Configurations</span></code>: Buckets that are subscribed to
the old user-owned topics should be updated to use the new account-owned topics.
To prevent duplicate notifications, maintain the same notification IDs.
For example, if a bucket’s existing notification configuration is:</p>
<blockquote>
<div><div class="highlight-json notranslate"><div class="highlight"><pre><span></span><span class="p">{</span><span class="nt">&quot;TopicConfigurations&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nt">&quot;Id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ID1&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;TopicArn&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;arn:aws:sns:default::topic1&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;Events&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;s3:ObjectCreated:*&quot;</span><span class="p">]}]}</span>
</pre></div>
</div>
</div></blockquote>
<p>The updated configuration would be:</p>
<blockquote>
<div><div class="highlight-json notranslate"><div class="highlight"><pre><span></span><span class="p">{</span><span class="nt">&quot;TopicConfigurations&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nt">&quot;Id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ID1&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;TopicArn&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;arn:aws:sns:default:RGW00000000000000001:topic1&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;Events&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;s3:ObjectCreated:*&quot;</span><span class="p">]}]}</span>
</pre></div>
</div>
</div></blockquote>
<p>In this example, <cite>RGW00000000000000001</cite> is the account ID, <cite>topic1</cite> is the
topic name and <cite>ID1</cite> is the notification ID.</p>
<p>4. <code class="docutils literal notranslate"><span class="pre">Removing</span> <span class="pre">Old</span> <span class="pre">Topics</span></code>: Once no buckets are subscribed to the old user-owned topics,
they can be removed by an admin:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ radosgw-admin topic rm --topic topic1
</pre></div>
</div>
</section>
</section>
<section id="account-root-example">
<h3>Account Root example<a class="headerlink" href="#account-root-example" title="Permalink to this heading"></a></h3>
<p>The account root user’s credentials unlock the <a class="reference external" href="../iam/">Ceph Object Gateway IAM API</a>.</p>
<p>This example uses <a class="reference external" href="https://docs.aws.amazon.com/cli/latest/">awscli</a> to create an IAM user for S3 operations.</p>
<ol class="arabic">
<li><p>Create a profile for the account root user:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ aws --profile rgwroot configure set endpoint_url http://localhost:8000
$ aws --profile rgwroot configure
AWS Access Key ID [None]: {root access key}
AWS Secret Access Key [None]: {root secret key}
Default region name [None]: default
Default output format [None]:
</pre></div>
</div>
</li>
<li><p>Create an IAM user, add credentials, and attach a policy for S3 access:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ aws --profile rgwroot iam create-user --user-name Alice
{
    &quot;User&quot;: {
        &quot;Path&quot;: &quot;/&quot;,
        &quot;UserName&quot;: &quot;Alice&quot;,
        &quot;UserId&quot;: &quot;b580aa8e-14c7-4b6a-9dac-a30c640244b6&quot;,
        &quot;Arn&quot;: &quot;arn:aws:iam::RGW63136524507535818:user/Alice&quot;,
        &quot;CreateDate&quot;: &quot;2024-02-07T00:15:45.162786+00:00&quot;
    }
}
$ aws --profile rgwroot iam create-access-key --user-name Alice
{
    &quot;AccessKey&quot;: {
        &quot;UserName&quot;: &quot;Alice&quot;,
        &quot;AccessKeyId&quot;: &quot;JBNLYD5BDNRVV64J02E8&quot;,
        &quot;Status&quot;: &quot;Active&quot;,
        &quot;SecretAccessKey&quot;: &quot;SnHoE700kdNuT22K8Bhy2iL3DwZU0sUSDI1gUXHr&quot;,
        &quot;CreateDate&quot;: &quot;2024-02-07T00:16:34.679316+00:00&quot;
    }
}
$ aws --profile rgwroot iam attach-user-policy --user-name Alice \
      --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
</pre></div>
</div>
</li>
<li><p>Create a profile for the S3 user:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ aws --profile rgws3 configure set endpoint_url http://localhost:8000
$ aws --profile rgws3 configure
AWS Access Key ID [None]: JBNLYD5BDNRVV64J02E8
AWS Secret Access Key [None]: SnHoE700kdNuT22K8Bhy2iL3DwZU0sUSDI1gUXHr
Default region name [None]: default
Default output format [None]:
</pre></div>
</div>
</li>
<li><p>Use the S3 user profile to create a bucket:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ aws --profile rgws3 s3 mb s3://testbucket
make_bucket: testbucket
</pre></div>
</div>
</li>
</ol>
</section>
</section>
</section>



<div id="support-the-ceph-foundation" class="admonition note">
  <p class="first admonition-title">Brought to you by the Ceph Foundation</p>
  <p class="last">The Ceph Documentation is a community resource funded and hosted by the non-profit <a href="https://ceph.io/en/foundation/">Ceph Foundation</a>. If you would like to support this and our other efforts, please consider <a href="https://ceph.io/en/foundation/join/">joining now</a>.</p>
</div>


           </div>
           
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
        <a href="../admin/" class="btn btn-neutral float-left" title="管理指南" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
        <a href="../s3/" class="btn btn-neutral float-right" title="Ceph 对象网关的 S3 API" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>